Outlook 2007 SPA authentication problem solved (NTLM plugin bug)
Ken Murchison
murch at andrew.cmu.edu
Thu May 8 12:22:59 EDT 2008
CHCNET Consulting wrote:
> Hi list,
>
> I've patched the ntlm plugin to also support Outlook 2007, which uses a
> slightly different approach to authenticate. All Outlook versions prior
> to 2007 use a two-stage method: first they try to authenticate with
> the username and Windows domain instead of the mail domain (which of
> course doesn't work, unless we have user@NTDOMAIN in our sasldb). Outlook
> 2007 changed this method to username@maildomain.com. I.e. the NTLM auth
> is sent with username and client domain, where client domain is finally
> correctly our email domain!
>
> But this needs a change in the sasl ntlm plugin, otherwise you never get
> the client domain into your checks, but only username@mailserver:
Here's my alternate patch which first tries a fully qualified username
(using the supplied domain), and if no password exists for this
username, we fall back to using the unqualified username. Please try
this with your deployment.
--- ntlm.c.~1.32.~ 2008-01-24 10:22:24.000000000 -0500
+++ ntlm.c 2008-05-08 12:17:27.000000000 -0400
@@ -1552,14 +1552,52 @@
result = sparams->utils->prop_request(sparams->propctx,
password_request);
if (result != SASL_OK) goto cleanup;
- /* this will trigger the getting of the aux properties */
- result = sparams->canon_user(sparams->utils->conn, authid, authid_len,
- SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
- if (result != SASL_OK) goto cleanup;
+ if (domain) {
+ /* see if we have a fully qualified username */
+ char *fq_authid = sparams->utils->malloc(authid_len+domain_len+2);
+
+ if (!fq_authid) {
+ MEMERROR(sparams->utils);
+ result = SASL_NOMEM;
+ goto cleanup;
+ }
+
+ sprintf(fq_authid, "%.*s@%.*s",
+ authid_len, authid, domain_len, domain);
+ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "canonicalizing: %s", fq_authid);
+
+ /* this will trigger the getting of the aux properties */
+ result = sparams->canon_user(sparams->utils->conn,
+ fq_authid, strlen(fq_authid),
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ sparams->utils->free(fq_authid);
+ if (result != SASL_OK) goto cleanup;
+
+ result = sparams->utils->prop_getnames(sparams->propctx,
+ password_request,
+ auxprop_values);
+ }
+ if (!domain || result < 0 ||
+ (!auxprop_values[0].name || !auxprop_values[0].values)) {
+ /* We didn't find the fully qualified username,
+ try the unqualified username */
+ sparams->utils->log(NULL, SASL_LOG_DEBUG,
+ "canonicalizing: %s", authid);
+
+ /* this will trigger the getting of the aux properties */
+ result = sparams->canon_user(sparams->utils->conn,
+ authid, authid_len,
+ SASL_CU_AUTHID | SASL_CU_AUTHZID,
+ oparams);
+ if (result != SASL_OK) goto cleanup;
+
+ result = sparams->utils->prop_getnames(sparams->propctx,
+ password_request,
+ auxprop_values);
+ }
- result = sparams->utils->prop_getnames(sparams->propctx,
- password_request,
- auxprop_values);
if (result < 0 ||
(!auxprop_values[0].name || !auxprop_values[0].values)) {
/* We didn't find this username */
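Review bot: when the fully qualified lookup in the `if (domain)` branch finds no password, the fallback branch calls sparams->canon_user a second time on the same oparams; the code being replaced called it exactly once, so please confirm the canon layer tolerates re-canonicalizing a connection and that nothing from the first `fq_authid` canonicalization is left behind in oparams when the bare-authid call is the one that succeeds. Two smaller points on building fq_authid: `%.*s` takes an int precision, so if authid_len and domain_len are unsigned they should be cast (`(int)authid_len`) to avoid warnings, and although the buffer is sized exactly authid_len+domain_len+2 so the sprintf is bounded, `snprintf(fq_authid, authid_len+domain_len+2, ...)` is the safer habit. Also worth a comment in the code: domain is whatever the client put in its NTLM message, so the first lookup key is client-chosen text; the fallback to the bare authid is what keeps an unexpected domain from locking out a valid user, and both SASL_LOG_DEBUG lines echo that raw value into the log.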
--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
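The lookup order Ken describes (fully qualified `authid@domain` first, bare `authid` if that has no entry) can be tried outside the plugin. The following is an added example, not code from Cyrus SASL or from either poster: a constructed in-memory table stands in for sasldb and the auxprop layer, the names `resolve`, `make_key`, `matched_key` and the entries `alice@example.com` / `bob` are assumptions, and the NTLM fields are passed as pointer-plus-length pairs because they are not NUL-terminated in the wire format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One password entry; the real plugin gets these from the auxprop layer. */
struct cred { const char *authid; const char *password; };

/* Constructed credential store standing in for sasldb (assumption):
   "alice" exists only fully qualified, "bob" only unqualified. */
static const struct cred store[] = {
    { "alice@example.com", "s3cret"  },
    { "bob",               "hunter2" },
    { NULL, NULL }
};

/* Exact-match password lookup; NULL when the key has no entry. */
static const char *lookup_password(const char *key) {
    for (const struct cred *c = store; c->authid; c++)
        if (strcmp(c->authid, key) == 0) return c->password;
    return NULL;
}

/* Copy an NTLM field (not NUL-terminated on the wire) into a string,
   optionally appending "@domain". Returns a malloc'd key or NULL on OOM. */
static char *make_key(const char *authid, size_t authid_len,
                      const char *domain, size_t domain_len) {
    size_t n = authid_len + (domain ? domain_len + 1 : 0) + 1; /* '@' + NUL */
    char *key = malloc(n);
    if (!key) return NULL;
    if (domain)
        snprintf(key, n, "%.*s@%.*s", (int)authid_len, authid,
                 (int)domain_len, domain);
    else
        snprintf(key, n, "%.*s", (int)authid_len, authid);
    return key;
}

/* Lookup order from the patch: try authid@domain when the client sent a
   domain, fall back to the bare authid when that key has no entry.
   Returns the password, or NULL if neither key exists. If used_key is
   non-NULL it receives the malloc'd key that matched (caller frees). */
static const char *resolve(const char *authid, size_t authid_len,
                           const char *domain, size_t domain_len,
                           char **used_key) {
    const char *pw = NULL;
    char *key;
    if (used_key) *used_key = NULL;

    if (domain && domain_len > 0) {
        key = make_key(authid, authid_len, domain, domain_len);
        if (!key) return NULL;
        pw = lookup_password(key);
        if (pw) { if (used_key) *used_key = key; else free(key); return pw; }
        free(key);              /* no fully qualified entry: fall through */
    }

    key = make_key(authid, authid_len, NULL, 0);
    if (!key) return NULL;
    pw = lookup_password(key);
    if (pw && used_key) *used_key = key; else free(key);
    return pw;
}

/* Convenience wrapper: which key did the lookup end up using? */
static char *matched_key(const char *authid, const char *domain) {
    char *key = NULL;
    resolve(authid, strlen(authid), domain, domain ? strlen(domain) : 0, &key);
    return key;                 /* NULL when no entry matched; caller frees */
}

int main(void) {
    /* Constructed NTLM client fields: Outlook 2007 style (mail domain),
       pre-2007 style (Windows domain), and a user with neither entry. */
    const struct { const char *user, *dom; } cases[] = {
        { "alice", "example.com" }, { "bob", "NTDOMAIN" }, { "alice", "NTDOMAIN" }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char *key = NULL;
        const char *pw = resolve(cases[i].user, strlen(cases[i].user),
                                 cases[i].dom, strlen(cases[i].dom), &key);
        printf("%s / %s -> %s\n", cases[i].user, cases[i].dom,
               pw ? key : "no entry");
        free(key);
    }
    return 0;
}
```

The third case is the situation the original poster hit with pre-2007 clients: `alice` sends `NTDOMAIN`, neither `alice@NTDOMAIN` nor `alice` is in the store, so the lookup fails even though `alice@example.com` would have matched.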